Microsoft Power Query for Excel - False Flagging by Intercept/Crashes Excel

Sophos support has confirmed a false positive and the ticket has been escalated to dev.

HI  Kyle, 

Thank You for an update , kindly let us know is there is any further progress. 

Thanks and Regards

Aditya Patel 

There has been no update and I can't get a response from Support.

HI Kyle , 

Could you Private message me the Service request number followed by the link to this thread for reference. I would like to follow on that issue and provide an accurate answer. 

Thanks and Regards

Aditya Patel 

HI Kyle, 

We have noted the issue is related False Positive and Will be fixed in the next release by the end of this month. 

Bug ID WINEP-6445

Thanks and Regards

Aditya Patel

Hi Adita

Can you confirm this False Positive was fixed?

We are running version 11.5.4 and getting 'CallerCheck' exploits when trying to use Power Query in Excel 2013, I have also raised a ticket with support.

Regards

Stephen

I have this same problem.  When I try to launch Power Query and connect to my SQL server from Excel 2013 the application closes and I get an alert from Sophos. This disrupts some of our employees who are trying to run reports using our Company Data-cubes in SQL.  

Then Excel closes immediately and I get this:

This is my installation:

Sorry I should have said one more thing! 

If I use the following work-around it allows me to connect to the SQL database, but this is not a good solution because it requires using TAMPER passwords to alter the installation.  We cannot distribute these passwords to the users...

Hey Leo and Stephen!

Out of interest, have you both tried setting an exclusion for this specific exploit detection in your Threat Protection policy? Some plugins can do things in memory which look quite similar to exploitative malware. While I do recommend you minimise making any exceptions in a policy (and if you do, make periodic checks to confirm whether the exceptions are still necessary), sometimes exceptions have to be made.

In the event you've not tried this, I've slapped together a quick screenshot showing an exploit detection in a specific application (here, Internet Explorer) being excluded in a Threat Protection policy.

Hey Leo and Stephen!

Out of interest, have you both tried setting an exclusion for this specific exploit detection in your Threat Protection policy? Some plugins can do things in memory which look quite similar to exploitative malware. While I do recommend you minimise making any exceptions in a policy (and if you do, make periodic checks to confirm whether the exceptions are still necessary), sometimes exceptions have to be made.

In the event you've not tried this, I've slapped together a quick screenshot showing an exploit detection in a specific application (here, Internet Explorer) being excluded in a Threat Protection policy.

Hi SecBug

I have put a Scanning Exclusion in place, which does not fix the issue.

As I said I do have a ticket open with support, they've sent me a test build (hasn't fixed the issue) and asked for some SDU logs.

One thing that does work is adding Excel in the Exploit Mitigation Exclusion.

Given that a lot of viruses are spread through Excel macros this isn't a brilliant solution, also this option is only available as a Global system setting and not as a Policy setting I could apply only to certain users to reduce the risk slightly?

Same problem here ...  Excel 2010 with Power Query.  Sophos gives a false positive when I try to connect to an internal database.  Adding Excel in exploit exclusion is not an option, this is the reason why we use sophos to discover strange behavour of files.

Is there already a solution provided ?